There is a vulnerability in SSL3 called POODLE, it is documented in detail here by Google. SSL2 & 3 needs to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web servers to disable SSL 2 & 3… Read More »
It is important to realize that although a website might be running under HTTPS it does not guarantee that the session information is not accessible from normal HTTP requests. When a session cookie is generated it is important to make sure that the cookie can only be transmitted over a secure HTTP connection (HTTPS).